Security Certificates

zekiel

Hi all,

I've got a prob with a security cert site im working on at the moment.
Here's goes:
The initial problem is the cert is installed, when we go to the site it comes up: "this is not a trusted site blah blah blah, do you wish to proceed" I click yes and off I go to the site.
Ok what I want to be able to do is have another popup that gives you a request as to if you would like to install this cert into your trusted cert's folder.
I've scoured around technet on microsoft to no avail. I'm in need of a script that will popup offering you the ability to install this cert.

Any takers?:cool:

Capt'n Midnight

http://www.freecert.org/ - you can get free certs.

not the solution - but maybe they might work better...

Truth be told I would not be supprised if our redmount friends view passport as the solution....

zekiel

Unfortunately Midnight this is for a company's security, I aint got a say in what they install.
Here's the script I'm using to install the MS security cert through the client browser, unfortunately I cant get it to work.. I've done that required mods to it but to no avail. It simply prompts me that this is not a trusted site do you wish to proceed.
I want it to install into the trusted security folder in the clients browser, so this isnt required anymore.

<HTML>
<HEAD>
<TITLE>Installing A Root Certificate</TITLE>
<BR>Root Certificate Authority Installation
<BR>
<BR>

<%@ LANGUAGE="VBScript"%>
<%
Set fs = CreateObject("Scripting.FileSystemObject")
Set MyFile = fs.OpenTextFile("c:\certificates\base64.cer", 1)

Output = ""

Do While MyFile.AtEndOfStream <> true
line = Chr(34) & MyFile.ReadLine & Chr(34)
If MyFile.AtEndOfStream <> true then
line = line & " & _" & Chr(10)
End If
Output = Output & line
Loop

MyFile.Close

Set MyFile = Nothing
Set fs = Nothing
%>

<SCRIPT language="VBSCRIPT">
on error resume next
Dim Str, CEnroll

Set CEnroll = CreateObject("CEnroll.CEnroll.1")
Str = <% Response.Write Output %>

CEnroll.installPKCS7(Str)

Set CEnroll = Nothing
</SCRIPT>
</HEAD>
</HTML>

Any help is much appreciated.:D

Dizz

Having never used VBScript before (and I know why from reading that! ) I can't really comment on the code only that for it to have any chance of running it must be executed server side due to security restrictions (ie a script reading from local disk!). I do remember from working with certificate enrollment on W2K advanced server that there is a series of pages that do something similar to what you want - grab a copy of it or better still Windows Server 2003 and go snooping the code.

Dizz

retneil

u wont be able to do what you want to do unless you send a user to wherever the root ca cert is and get them to install the public key.. The box that appears is a generated IIS active x prompt that is standard... Only way around is to ensure that users install the trusted root ca public key when say they register or something for tghe site.. You cannot get in between that box.. If you drop some more info back such as a link i may be able to take a look or even if you could spec out the exact config u are setting up IE: are u using client certificates.. I presume you are using MS Certificate Server and will it be on a website or is it for client authentication in a PKI manner or is it to be used internally in a corporate domain structure that runs Actvie directory or is it for a site on the internet whereupon a third party CA issued by verisign is probably a better option... Need more detail though...

zekiel

Its working of a Root company certificate server in a corporate domain structure, yes it the ms one. The main purpose is for loggin timesheets for people inside the company domain and for people out on site. So it will be for both internal and external use.
The company has its own root certificate server, and will publish to whichever other server requires one.
Your right about what the script does. The initial idea is that we want to force an install popup and enable the user to install the cert straight off without having to download it first. After which its an acceptable and verified site.
Its running off IIS4-5 with SSL implemented.
:ninja:

retneil

I just wrote a huge response however Vbulletin booted me out with some sort of timeout so this one will be shorter..

3 options : Use active directory to imnplement the root ca installaton by trusting the computer in the domain OU structure and assigning the trusted root ca. 2.Otherwise use VBS script to add a logon script that runs and installs the root CA when the users logs on. 3.Use IEAK that administers IE browsers inside a corporate domain structure.

For outside if the computers are known to be secure use a VPN and add them to the AD OU structure in a controlled environment whereby there system is locked down and secured before givcing out the root CA. Ensure that no-one logs on to the conputers that are accessing from externally IE malicous users. Or just send the VBS script to them and get them to run as if you are prompting for client certificates should be ok to allow the root ca to be oin a web server somewhere.

Read a decent book on PKI and u should be fine drop us a line back if you any Q?s as i have worked on PKI before...

retneil

here is the type of code for the VBS script use at a user logon and assign at the OU / domain level

its fairly self explanatory..

set WshShell = CreateObject("WScript.Shell")

WshShell.Run "C:\vnc\setup.exe"
WScript.Sleep 2000
While WshShell.AppActivate("Setup") = FALSE
wscript.sleep 1000
Wend
WshShell.AppActivate "Setup"
WScript.Sleep 500
WshShell.SendKeys "%Y"
WScript.Sleep 502

Capt'n Midnight

Is it any use trying to set up using an msi ?

zekiel

Much appreciated lads thanks.:D

zekiel

Much appreciated lads thanks.:D

retneil

no i dont believe that an MSI would be of any benefit in this instance.. Should be fairly handy once the VBS is written you can use the domain structure already in place to assign the extra vb script to any relevant users who shall be using the site..